-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                      ESB-2000.357 -- FreeBSD-SA-00:68
             ncurses allows local privilege escalation [REVISED]
                              22 November 2000

===========================================================================

	AusCERT Security Bulletin Summary
	---------------------------------

Product:                ncurses
Vendor:                 FreeBSD Ports Collection
Operating System:       FreeBSD
                        BSD
Impact:                 Increased Privileges
                        Execute Arbitrary Code/Commands
Access Required:        Local

Ref:                    ESB-2000.338

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:68                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ncurses allows local privilege escalation [REVISED]

Category:       core, ports
Module:         ncurses
Announced:      2000-11-13
Revised:        2000-11-20
Affects:        FreeBSD 5.0-CURRENT, 4.x prior to the correction date.
                FreeBSD 3.x not yet fixed.
Corrected:      2000-10-11 (FreeBSD 4.1.1-STABLE)
                2000-11-10 (ncurses port)
Credits:        Jouko Pynnonen <jouko@SOLUTIONS.FI>
FreeBSD only:   NO

0.   Revision History

v1.0  2000-11-13  Initial release
v1.1  2000-11-20  Corrected status of 3.x, referenced ncurses port

I.   Background

ncurses is a text-mode display library used for formatting the output
of applications on a variety of terminals.  It is externally
maintained, contributed code which is included in FreeBSD by default.

II.  Problem Description

There exists an overflowable buffer in the libncurses library in the
processing of cursor movement capabilities.  An attacker can force a
privileged application to use the attacker's termcap file containing a
specially crafted terminal entry, which will trigger the vulnerability
when the vulnerable ncurses code is called.  This allows them to
execute arbitrary code on the local system with the privileges of the
exploited binary.

The systat utility included in the FreeBSD base system is known to use
vulnerable ncurses routines.  It runs with increased privileges as a
member of the kmem group, which allows it to read from kernel memory
(but not write to it).  A process with the ability to read from kernel
memory can monitor privileged data such as network traffic, disk
buffers and terminal activity, and may be able to leverage this to
obtain further privileges on the local system or on other systems,
including root privileges.

There may be other vulnerable applications included in the FreeBSD
base system, but no others are confirmed to be vulnerable due to the
difficulty in identifying a complete list of vulnerable ncurses
functions.  However the following is a complete list of FreeBSD system
binaries which link against ncurses and run with increased
privileges. They may or may not be vulnerable to exploitation.

/usr/sbin/lpc
/usr/bin/top
/usr/bin/systat

FreeBSD 3.x and earlier versions use a very old, customized version of
ncurses which is difficult to update without breaking
backwards-compatibility.  The update was made for FreeBSD 4.0, but 3.x
will not be updated to the newer version.  At this stage the
vulnerability has not been fixed in FreeBSD 3.x.

The ncurses port (versions prior to 5.2) also contains this
vulnerability.  It was corrected prior to the release of FreeBSD 4.2.

III. Impact

Certain setuid/setgid software (including FreeBSD base system
utilities and third party ports/packages) may be vulnerable to a local
exploit yielding privileged access.

The /usr/bin/systat utility is known to be vulnerable to this problem
in ncurses.  At this time it is unknown whether /usr/bin/top and
/usr/sbin/lpc are also affected.

The problems were corrected prior to the release of FreeBSD 4.2.

IV.  Workaround

It is not feasible to reliably detect binaries which are vulnerable to
the ncurses vulnerability, however the provided utility will scan for
privileged binaries which use ncurses and which may potentially be
vulnerable.  Some of the binaries reported may not in fact be
vulnerable, but should be recompiled anyway for maximum assurance of
security.

Statically linked binaries which are identified as potentially
vulnerable should be recompiled from source code if possible, after
patching and recompiling libc, in order to correct the vulnerability.
Dynamically linked binaries will be corrected by simply patching and
recompiling libc as described below.

As an interim measure, consider removing any identified setuid or
setgid binary, removing set[ug]id privileges from the file, or
limiting the file access permissions, as appropriate.

Of course, it is possible that some of the identified files may be
required for the correct operation of your local system, in which case
there is no clear workaround except for limiting the set of users who
may run the binaries, by an appropriate use of user groups and
removing the "o+x" file permission bit.

1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh

e.g. with the fetch(1) command:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
Receiving scan_ncurses.sh (381 bytes): 100%
381 bytes transferred in 0.1 seconds (7.03 kBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
Receiving test_ncurses.sh (604 bytes): 100%
604 bytes transferred in 0.1 seconds (6.55 kBps)

2) Verify the md5 checksums and compare to the value below:

# md5 scan_ncurses.sh
MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
# md5 test_ncurses.sh
MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e

3) Run the scan_ncurses.sh script against your system:

# chmod a+x ./test_ncurses.sh
# sh scan_ncurses.sh ./test_ncurses.sh /

This will scan your entire system for setuid or setgid binaries which
make use of the ncurses library.  Each returned binary should be
examined (e.g. with 'ls -l' and/or other tools) to determine what
security risk it poses to your local environment, e.g. whether it can
be run by arbitrary local users who may be able to exploit it to gain
privileges.

4) Remove the binaries, or reduce their file permissions, as appropriate.
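The scan_ncurses.sh and test_ncurses.sh scripts themselves are not reproduced
in this advisory.  The following is an added example of the same kind of
check, written for this bulletin and not FreeBSD's own tooling: it walks a
directory tree for setuid/setgid files, and for each one reports whether it
is dynamically linked against libncurses (fixed by rebuilding the shared
library) or appears to embed ncurses statically (must be recompiled or have
its privileges restricted, as section V explains).  The function names
scan_ncurses_privileged and classify_ncurses_link are assumptions, and the
"static" classification is a heuristic based on strings in the file, so a hit
means "examine this binary", not "confirmed vulnerable".  Note that ldd on
some systems runs the program's dynamic loader, so use this only on binaries
you would run anyway, e.g. your own base system.

```shell
#!/bin/sh
# Added example (not the advisory's scan_ncurses.sh): find privileged
# binaries that reference ncurses and classify how they link to it.

# classify_ncurses_link FILE
#   Prints "dynamic" if ldd lists libncurses, "static" if the file is not a
#   dynamic executable but embeds ncurses-looking strings (heuristic), and
#   prints nothing / returns 1 if ncurses is not referenced at all.
classify_ncurses_link() {
    f=$1
    # Dynamic case: the shared libncurses appears in the loader's list.
    if command -v ldd >/dev/null 2>&1 &&
       ldd "$f" 2>/dev/null | grep -q 'libncurses'; then
        echo dynamic
        return 0
    fi
    # Static case (heuristic): the library name or well-known ncurses
    # symbols survive in the binary.  tr isolates printable runs so this
    # works with any POSIX grep, without relying on grep -a.
    if tr -c '[:print:]' '\n' < "$f" 2>/dev/null |
       grep -q -e 'libncurses' -e 'tgetent' -e '_nc_'; then
        echo static
        return 0
    fi
    return 1
}

# scan_ncurses_privileged [ROOT]
#   Lists setuid/setgid regular files under ROOT (default /) that reference
#   ncurses, one per line as "<dynamic|static> <path>".  -xdev keeps the
#   walk on one filesystem, so run it once per mounted filesystem of interest.
scan_ncurses_privileged() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        link=$(classify_ncurses_link "$f") || continue
        printf '%s %s\n' "$link" "$f"
    done
}

# Usage: scan_ncurses_privileged / | sort
# Each reported path should then be inspected with ls -l as the advisory
# describes: who can execute it, and whether it is really needed.
```

The "dynamic" entries are the ones corrected by rebuilding the shared
library; the "static" entries are exactly the binaries section V says must be
recompiled, removed, or restricted.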

V.   Solution

Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date, or patch your present system source code and
rebuild.  Then run the scan_ncurses.sh script as instructed in section
IV and identify any statically-linked binaries as reported by the
script.  These should either be removed, recompiled, or have privileges
restricted to secure them against this vulnerability (since
statically-linked binaries will not be affected by simply recompiling
the shared libc library).

To patch your present system: download the updated ncurses code from
the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src
tar xvfz /path/to/ncurses.tar.gz
cd /usr/src/lib/libncurses
make all
make install

In contrast to the usual practice, a simple patch fixing the security
vulnerability is not provided because the vendor did not make one
available, and the updated ncurses snapshot which fixed it contains
numerous other changes whose purpose and relation to the fix was
unclear.

[ncurses port]

If you have installed a vulnerable version of the ncurses port, one of
the following steps may be used to upgrade it:

1) Upgrade your entire ports collection and rebuild the ncurses port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/ncurses-5.2.tgz

3) Download a new port skeleton for the ncurses port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOhmaFlUuHi5z0oilAQG5MwP9FStZoFKPCqfciIbIcFrE0wLYuEOeI24S
j9D4rSwU1ALzHB7DMpeXmju5pDRROmgUTIOGnBN9FcXZly4lDN3Y9yyIeW6Ia5UZ
wWbkhxsn573kD3P00WHAB1F1ccbbK4+SPNLkdJDgyyqAC4SdgeJEg5+z+Wcx7d3E
t/Xsv/X1ylA=
=ZiMW
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOlSNRyh9+71yA2DNAQHGtQP9HLv0YFUYhzV196UWQ7xbyaLB1Yk+WF2W
WJcL3IMyQ/F4XIaCshyHetyQCR4mSdF3UK1+Tpc3fweDFHmPhAx22CZ9iv6Af0l6
gx3GjPZy7dschThP4Y9wVRy+udlC5Lcfqu53wBhcpPxsD9S/79PRGW34L/+qRIPm
QkgjjgRUtq0=
=yPre
-----END PGP SIGNATURE-----